We partner with ethical hackers and security researchers to proactively identify vulnerabilities in our infrastructure. Help us keep CloudNexus safe.
We focus on critical infrastructure, customer-facing applications, and API endpoints.
Payouts are based on severity, impact, and quality of the report. Duplicate reports receive 10-20% of the base reward.
| Severity | Description | Payout |
|---|---|---|
| Critical | RCE, SQLi, Auth Bypass, Data Exfiltration, Privilege Escalation | $15,000 - $50,000 |
| High | IDOR (Insecure Direct Object Reference), Stored XSS, Sensitive Data Exposure | $5,000 - $10,000 |
| Medium | Reflected XSS, Open Redirect, CSRF without auth token, Weak Rate Limiting | $1,000 - $3,000 |
| Low | Information Disclosure, HTTP Header Misconfigs, Minor Logic Flaws | $200 - $500 |
| Informational | Best Practice Violations, Cosmetic Issues, Non-actionable findings | Swag / Recognition |
Follow responsible disclosure practices. Violations may result in immediate removal from the program.
Permitted: manual testing, authenticated scans, and proof-of-concept exploitation that does not impact availability or data integrity.
Prohibited: deleting or modifying production data, credential stuffing, scraping, brute-forcing, or testing against out-of-scope assets.
A report should include a clear title, detailed reproduction steps, a CVSS vector, screenshots or PCAPs, and a suggested mitigation where possible.
Do not publicly disclose findings until CloudNexus has patched and acknowledged the vulnerability. Embargo: 90 days max.
Good-faith researchers acting within scope are protected from legal action. We do not pursue litigation for responsible disclosure.
Top-tier researchers can apply for exclusive private access to unreleased products, higher bounties, and direct eng triage.
We value privacy and security. All submissions are encrypted and handled by our dedicated security triage team.
1. Find a vulnerability within in-scope assets using responsible methods.
2. Record exact steps, payloads, environment details, and impact analysis.
3. Use our PGP key to encrypt sensitive payloads and report details.
4. Send to our secure mail alias. Expect a triage response within 48 hours.
PGP Key (4096R): 0x8F4A 2B9C 1E7D 9F3A • Triage SLA: 24-48h
Everything you need to know before starting your hunt.
Payouts are processed via Stripe, Wise, or cryptocurrency (USDC/BTC) within 14 days of patch verification. All payments are fully tax-compliant with 1099/W-8 forms handled automatically.
If a vulnerability is already under investigation, the first valid reporter receives the full bounty. Subsequent valid reports receive 10-20% as a courtesy reward. You'll always get credit in our public hall of fame.
Lightweight, authenticated scanning is permitted. Aggressive or unauthenticated automated scanning that may trigger DDoS protection is strictly prohibited. Contact us for large-scale scan requests.
Yes. While English is preferred for faster triage, we support submissions in Spanish, French, German, and Mandarin. Technical steps and payloads should remain clear and executable.
We use CVSS v3.1 as the baseline, adjusted for real-world exploitability and business impact. Final severity is determined by our security engineering team during triage.